by Jenda_ 914 days ago
There are many more files that will need this protection:

- autorun and keyboard shortcuts of your window manager -- one can hook an evil command to Ctrl+C

- ~/.mozilla -- you can add arbitrary JavaScript to your profile or extensions

- any application which does not expect to have its config externally tampered with; this may result in various errors, including RCE

- ~/work/FooProject/Makefile, configuration of your IDE (which contains a list of commands that shall be executed to compile)

etc.

An explicit allowlist would be a better option, IMHO perfectly manageable - with a popup window "the app wants to access <file>, allow once | allow permanently | deny".
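
The allowlist with its three popup choices, as an added example that is not part of the original comment: access is denied by default, a permanent grant is stored per canonical path, and "allow once" is never remembered. The `FileAccessBroker` class, the `prompt` callback standing in for the popup, the app name `viewer` and the sample paths are assumptions constructed for this illustration.

```python
import os
from enum import Enum


class Decision(Enum):
    ALLOW_ONCE = "allow once"
    ALLOW_PERMANENTLY = "allow permanently"
    DENY = "deny"


class FileAccessBroker:
    """Default-deny broker: no file is accessible until the user grants it."""

    def __init__(self, prompt):
        # prompt(app, path) -> Decision stands in for the popup window (assumption)
        self.prompt = prompt
        self.permanent = set()  # (app, canonical path) pairs granted permanently

    @staticmethod
    def canonical(path):
        # Resolve "~", ".." and symlinks so a grant cannot be reused via an alias
        return os.path.realpath(os.path.expanduser(path))

    def check(self, app, path):
        key = (app, self.canonical(path))
        if key in self.permanent:
            return True
        decision = self.prompt(app, key[1])  # show the user the resolved path
        if decision is Decision.ALLOW_PERMANENTLY:
            self.permanent.add(key)
            return True
        # ALLOW_ONCE is not stored, so the next access prompts again
        return decision is Decision.ALLOW_ONCE


def demo():
    asked = []  # every popup that would have been shown

    def scripted_prompt(app, path):  # constructed user answers
        asked.append((app, path))
        if path.endswith("notes.txt"):
            return Decision.ALLOW_PERMANENTLY
        return Decision.ALLOW_ONCE if path.endswith("report.pdf") else Decision.DENY

    broker = FileAccessBroker(scripted_prompt)
    paths = ["~/docs/notes.txt", "~/docs/../docs/notes.txt",  # alias: no new prompt
             "~/docs/report.pdf", "~/docs/report.pdf",        # prompts twice
             "~/work/FooProject/Makefile"]                    # denied
    return [broker.check("viewer", p) for p in paths], len(asked)
```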